Re: #549 augment security considerations

+1 on option 2, although I don't think you need to call out any particular organization (people know how to do a web search...)


On Jan 13, 2014, at 2:35 PM, Julian Reschke <julian.reschke@gmx.de> wrote:

> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/549>:
> 
> Stephen F. came up with the DISCUSS below during IESG review:
> 
>> Discuss (2013-12-19)
>> 
>> There was originally supposed to be a separate deliverable to describe the security properties of HTTP, but that's not happening. I think it's fair to say that the security considerations here (or across the entire set) don't really do all of that as well. I think that does leave a gap. However, I'm not sure what to do about that, since I don't believe there's any real chance of getting anyone to address this gap - it's been tried and apparently failed, and with lots of security work in HTTP/2.0, it's extremely unlikely that a victim will be found for this un-fun task.
>> 
>> That said, I do think it'd be worthwhile if the authors made an attempt to fill that gap by spending some cycles on finding a good set of references to HTTP security topics and adding those to the security considerations sections of p1 and/or p2.
>> 
>> Now, I'm sure that the authors won't want to do that (who ever wants to do a state-of-the-art study? even a tiny one like this) so the point I want to DISCUSS with the IESG initially and then with the chair and authors is whether or not that's a reasonable ask. (So, authors, no need to chime in just yet.)
> 
> We discussed this somewhat more, and it appears there is no energy to write additional security considerations, nor to spend a lot of time reviewing existing research in the hope of finding something we could reference.
> 
> Two ideas came up:
> 
> 1) Citing http://tools.ietf.org/html/rfc6819, and
> 
> 2) Point people to sites that publish security research.
> 
> WRT 1) I'm not too enthusiastic citing anything OAuth related from the HTTP spec.
> 
> WRT 2), I'd propose to add a single sentence to the end of the introduction of *each* Security Considerations appendix, such as:
> 
> "Note that the list of considerations below is not exhaustive --
> security analysis is an ongoing activity. Various organizations, such as
> the Open Web Application Security Project (OWASP,
> <https://www.owasp.org/>), provide information about current research."
> 
> Feedback appreciated,
> 
> Julian
> 

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Monday, 13 January 2014 22:15:55 UTC